Lateral SQL Injection in Oracle Database


Overview
========

In order to get the system date in Oracle, you are able to query the sysdate field in the table dual.
SQL> select sysdate from dual;
SYSDATE
---------
15-SEP-11

SYSDATE format is set in: nls_date_format.

Following the publication: Lateral SQL Injection: A New Class of Vulnerability in Oracle, (http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) published by David Litchfield, FEB/2008.

This post provides an overview and a demonstration on how this issue is still easily exploitable in Oracle Database.


Vulnerability
=============

nls_date_format accepts any string as input without filtering.
Example:  alter session set nls_date_format = '"the time is:"… hh24:mi'

After running that command, the SYSDATE will …

[Read more]
Compression Benchmarking: Size vs. Speed (I want both)

I’m creating a library of benchmarks and test suites that will run as part of a Continuous Integration (CI) process here at Tokutek. My goal is to regularly measure several aspects of our storage engine over time: performance, correctness, memory/CPU/disk utilization, etc. I’ll also be running tests against InnoDB and other databases for comparative analysis. I plan on posting a series of blog entries as my CI framework evolves, for now I have the results of my first benchmark.

Compression is an always-on feature of TokuDB. There are no server/session variables to enable compression or change the compression level (one goal of TokuDB is to have as few tuning parameters as possible). My compression benchmark uses iiBench to measure the insert performance and compression achieved by …

[Read more]
Beware: Default charset for mysqldump is utf8, regardless of server default charset

I ran into this issue a while ago, and was reminded of it again recently. mysqldump uses a default charset of utf8, even when the default charset of the server is set differently. Why does this matter? The problem exists more in the fact that if you have string data that is in latin1 format, you are allowed to put in non-Latin characters. This can lead to lost data, especially when upgrading a major series (e.g. 5.0 to 5.1 or 5.1 to 5.5), because you're supposed to export and import the data. Also, when importing a backup of an InnoDB table, if there is an error with one of the parts of the INSERT, the whole INSERT statement rolls back. I have experienced major data loss because the garbled characters cause an error when INSERTed, and it causes perfectly fine data *not* to import because they're in the same INSERT …

[Read more]
Database Sharding lecture on Boston MySQL Meetup

Yeah, we know it’s 6 months from now, but we’ll give a lecture titled “Database Sharding on MySQL” at the Boston MySQL Meetup. Register here.

Old GUI tools repositories on Launchpad

You might remember that MySQL was acquired by Sun, which later went into Oracle (who won’t?). As usual in such a process, network infrastructure is being merged to ease managing it. Such a merge is currently in process, with the effect that previously publicly available servers are now behind Oracle’s firewalls. From a security point of view this is good news, not so for services that relied on this access. One of them is our copy of all old GUI tools repositories on Launchpad. These repositories were made available 3 years ago when we prepared the switch to MySQL Workbench as our main product. The idea behind it was that anybody who is interested can work on the code and propose patches.

As you can see there, this hasn’t worked out well. No merges were proposed during all that time, so we are going to use this interruption of the Launchpad mirroring to stop this …

[Read more]
MySQL 101 - Changing data and schema, UPDATE, ALTER

In our last episode we covered sorting, searching and grouping. We found out that using the COUNT(*) can be problematic when we have unexpected NULL data. Now we look at how to resolve data issues by updating the data, and perhaps even the table schema. We'll use the same database we did for the last episode. You can download it here ».

Updating Data

Let's recap. If we pull the list of books and authors, we find that "The Broken Shore" by Peter Temple has no price. Not that it has a zero price, but that it has a NULL value.

mysql> SELECT CONCAT_WS(' ',`author`.`first_name`,`author`.`last_name`) AS `author`,
`book`.`title`, `book`.`price`
FROM `author` INNER JOIN `book` ON `author`.`id` = `book`.`author`
ORDER BY `book`.`price`
LIMIT 1; …
[Read more]
Open Query looking for new colleagues!

My colleagues and I are looking for extra talent – is that you?

What we do: help clients prevent problems (rather than being the fire department). We work on a subscription basis, although we also do some ad-hoc consulting and training. Apart from MySQL/MariaDB query and DBA work, we do quite a bit of system administration, mainly on Red Hat and Debian based distros, and expect to see replication and the MySQL-MMM multi-master system. You’d work from home, wherever it might be, so you will need to be self-motivating (but we do keep in touch online).

What we’re not: a full-time employer. With us, you make a life rather than a living. Everybody is contracted part-time. You can make enough to live comfortably, but that has nothing to do with hours. If you’re stressed about not filling all hours in your week with work-work-work, we’re not the company for you… there’s more to life than …

[Read more]
5 subtle ways you're using MySQL as a queue, and why it'll bite you

This post originally appeared on the Engine Yard blog. I work for Percona, a MySQL consulting company. To augment my memory, I keep a quick-reference text file with notes on interesting issues that customers ask us to solve. One of the categories of frequent problems is attempts to build a job queue in MySQL. I have so many URLs under this bullet point that I stopped keeping track anymore. Customers have endless problems with job queues in their databases.

SELECT UNION Results INTO OUTFILE

Here’s a quick tip I know some of us have overlooked at some point. When doing SELECT … UNION SELECT, where do you put the INTO OUTFILE clause? On the first SELECT, on the last, or somewhere else? The manual has the answer here, to quote:

Only the last SELECT statement can use INTO OUTFILE. (However, the entire UNION result is written to the file.)

However, I still see queries going to greater lengths for the same effect. For example, putting the UNIONs into a subquery and then doing the SELECT INTO OUTFILE from this. Using the employees.employees table:

mysql [localhost] {msandbox} (employees) > EXPLAIN SELECT * INTO OUTFILE '/home/viiin/sandboxes/msb_5_1_58p/outfile.txt'
-> FROM (
-> SELECT * FROM employees
-> WHERE hire_date BETWEEN '1990-01-01' AND '1990-01-02'
-> UNION ALL
-> SELECT * …
[Read more]
Join us at the OTN Sys Admin Day for Oracle Linux and Solaris on Sep. 22nd, Seattle (WA)

Last week we concluded our first Oracle Technology Network Sys Admin Day in Sacramento (CA). Well, it was actually the second Sys Admin Day, but the first one that had two parallel tracks of sessions about both Oracle Linux and Oracle Solaris.

I helped prepare for the event by creating the Linux lab handbook as well as the VirtualBox appliance of Oracle Linux 6.1 that was used for the exercises. Unfortunately I could not be there in person, but it would have been pointless for me to go on an intercontinental flight just for one day.

From the feedback we've received so far, the attendees really enjoyed the event and were positively surprised about the depth and quality of the practical hands-on lab sessions.

If you've missed the first one and happen to live …

[Read more]